Remove Portal accounts from Organization group

I have Portal setup to authenticate via AD and allow users to login, which creates a portal user thus giving them access to Organization content per the docs. Which is fine. I also have project-specific accounts that I only want to be able to see specific groups and not all Organization content.

The only way I have been able to limit accounts to specific groups is to remove maps/apps from the org group and then add users to the project specific groups.

I only see a couple of possibilities:

Remove a user from the Organization group; I don't see an option for that

Change the default group for the automatically created AD users; don't see an option for that